[Pdns-users] pdns generates records when presigned=1 is set
Michael Braunoeder
mib at nic.at
Tue Aug 9 12:41:02 UTC 2011
Hi,
I noticed a strange dnssec behavior with pdns 3.0 (and postgresql-backend):
I have loaded a zone into the db, the zone is unsigned but the
domainmetadata "presigned" is set to 1.
Everything works fine, except if I ask for a non-available record (with
dnssec-ok flag set in the query), then I receive 2 additional NSEC-records:
Without DNSSEC-OK Query flag:
;; QUESTION SECTION:
;xxxx.unsigned.at. IN A
;; AUTHORITY SECTION:
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
With DNSSEC-OK Query flag:
;; QUESTION SECTION:
;xxxx.unsigned.at. IN A
;; AUTHORITY SECTION:
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
www.unsigned.at. 3600 IN NSEC www.unsigned.at. A AAAA RRSIG NSEC
unsigned.at. 3600 IN NSEC www.unsigned.at. A NS SOA MX AAAA RRSIG NSEC DNSKEY
I know this setup (PRESIGNED=1 and an unsigned domain) is an
undocumented setup, but I think it will be a good feature if PRESIGNED=1
disables all automatic record generation and pdns serves only the
records it has configured in its backend. So it will be possible, if I
have a lot of slave zones, which are mixed between DNSSEC signed and
non-signed, to configure all zones the same way (like in Bind).
Do you have any comments on this?
Best,
Michael
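
Added example (not part of the original post, and not PowerDNS code): a small Python check for the symptom reported above, NSEC records returned without any RRSIG covering them. The function names are hypothetical; the sample responses are the two authority sections from the post with wrapped lines rejoined, plus one constructed signed response.

```python
# Added example: flag denial-of-existence records (NSEC/NSEC3) that arrive
# without an RRSIG covering them, the symptom shown in the post.

def parse_rrs(text):
    """Parse dig-style 'owner ttl class type rdata...' lines, skipping comments."""
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or dig comment/section header
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # not a resource record line
        rrs.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return rrs

def unsigned_denials(text):
    """Return owners of NSEC/NSEC3 records that have no covering RRSIG."""
    rrs = parse_rrs(text)
    # The first RDATA field of an RRSIG is the type it covers.
    covered = {(owner, rdata[0].upper())
               for owner, rrtype, rdata in rrs if rrtype == "RRSIG"}
    return sorted({owner for owner, rrtype, _ in rrs
                   if rrtype in ("NSEC", "NSEC3")
                   and (owner, rrtype) not in covered})

# Authority sections from the post (wrapped lines rejoined).
WITHOUT_DO = """\
;; AUTHORITY SECTION:
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
"""
WITH_DO = WITHOUT_DO + """\
www.unsigned.at. 3600 IN NSEC www.unsigned.at. A AAAA RRSIG NSEC
unsigned.at. 3600 IN NSEC www.unsigned.at. A NS SOA MX AAAA RRSIG NSEC DNSKEY
"""
# Constructed sample: an NSEC with a covering RRSIG (placeholder signature data).
SIGNED = """\
signed.example. 3600 IN NSEC www.signed.example. A NS SOA RRSIG NSEC DNSKEY
signed.example. 3600 IN RRSIG NSEC 8 2 3600 20110901000000 20110801000000 12345 signed.example. c2FtcGxl
"""

if __name__ == "__main__":
    for name, resp in (("no DO", WITHOUT_DO), ("DO", WITH_DO), ("signed", SIGNED)):
        print(name, unsigned_denials(resp))
```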